Зубанов Ф.В. - Active Directory. Подход Профессионала


Active Directory


  • 172 Active Directory:

    SAM, REGBACK REGREST;

    BDC, PDC. Windows 2000.

    , -, , , . - . , , .

    , . , Windows NT NetBIOS CENTRAL; Windows 2000 mycorp.ru. - , NetBIOS- MYCORP. , NetBIOS- - CENTRAL. - : - CENT-RAL, .

    Windows / Windows 2000 \ Windows NT

    Windows NT Windows 2000

    NetBIOS- DNS- - CrossRef, - CN=Partitions,CN=Configuration,

    DCPROMO Active Directory SAM: -, , .


    . , (). - , .

    Users Computers Builtin Users Users

    Kerberos - TGT, - - . - , -. , , . Windows NT, . PDC Windows 2000 - Windows 2000 Windows NT 4.0.Windows 2000 . - ( -, ), BDC . - PDC. Windows 2000-, PDC, BDC PDC. Windows 2000, PDC. , BDC .

    PDC, Windows2000, , . . , .

    ? -, -. - . 100% - Windows 2000, , , NT 4 .


    , DCPROMO , , - . Windows NT , .

    1. , Windows NT. SAM BDC.

    2. BDC, , PDC, - .

    , , - , .

    - Active Direc-tory Windows 2000 Server. , , . .

    (RID) (SID), Windows 2000 . , - , -, Active Directory.

    -: Windows NT 4.0 Windows 2000 -,

    . FRS LMRepl. Windows NT , Windows 2000. PDC LMRepl. Windows NT. .

    PDC BDC LMRepl.


    Lbridge.cmd Windows 2000 Server Resource Kit. , - Windows 2000, SYSVOL Export Windows NT, LMRepl.

    Lbridge.cmd . robocopy Windows 2000 Server Resource Kit.

    Windows 2000

    Windows 2000

    Windows NT

    - Windows 2000 Windows NT , . - - . - - .

    Windows 2000 . :

    ActiveDirectory ; ;


    [Figure: flowchart of the upgrade of a Windows NT domain to Windows 2000; the steps shown include PING and NSLOOKUP checks, WINNT32, the PDC, DCPROMO, Net Start, DNS, DCPROMO.LOG, NETLOGON.DNS, Lbridge.cmd, MSBACKUP (C:\, System state), AD, FRS, LMRepl, REPADMIN/REPLMON, SYSVOL, NTDSUTIL, Sites & Services, DNS, Windows NT]


    4 ; . . - Windows NT 4.0;

    - .

    - .

    : - , - - Windows NT 4.0.

    -: , , , .

    Windows NT 4.0

    Windows NT - : , , , . - , .

    , -. DNS, DHCP, WINS, DCPROMO , Windows NT 4.0 , - Windows 2000. , - , , - . , , - Microsoft Technet. , - , (support.microsoft.com).

    - , - , , . - .


    Active Directory-. , , , . . - , -.

    . , SAM WindowsNT . -, -, . - Windows NT . - Windows NT -.

    Active Directory - . , - -. , , - ...

    , , Active Directory,, ! , - , ., . , , - , .


    Windows NT , , .

    Windows 2000 . - , - . -, , , , , .

    - , - .

    , , Active Directory. ?

    Active Directory , :

    ;

    ;

    + .

    , . , . . . - . - .

    (), , , :

    , - ;

    ; - , - isMemberOfPartialAttributeSet, - True.

    .

    , Active Directory . , -*, .


    - . Active Directory .

    , . , - - .

    . .

    , - . Active Directory . . - , - .

    . - : , - , - -. - ,

    ; (-). , - - . - .

    : , - -, - . -, , - . - , - - . , . - Active Directory .


    Active Directory . , - . , - , , . , - . - , , - , .

    Active Directory

    , - Active Directory. 0 (. ). * , , , -, , . . ., . , . - .

    * 5 , 30 . , . - .

    1.,

    , 2

    : HKLM\System\CurrentControlSet\Services\NTDS\Parameters. Replicator notify pause after modify (sec) 300. Replicator notify pause between DSAs (sec) 30.

    - . , - ( ) , 5- 15 ( , . ). - , Active Directory Sites and Services.

    , , - . , , - .

    Active Directory . LDAP- , - . . - , , - (originating update) . , - .

    USN

    , , , - , . -, ? - (USN update sequence number).USN . - USN 1. - USN . , USN - , , - . - USN : - USN .

    USN . . -


    USN, - . .

    - USN . repadmin /showmeta


    , , 1. - , 1.

    , .

    DSA GUID , .

    repadmin /showmeta


    . ? , - . Active Directory -. . , - . :

    isDeleted true;

    , , , Active Directory;

    , LDAP-;

    + objectGuid, objectSid, distinguishedName, nTSecurityDescriptor usnChanged;

    .

    , - , , . , ActiveDirectory. Active Directory 12 -. , , . , ActiveDirectory. -. 60 . , .

    (tombstoneLifetime) (garbageCollPeriod) , - CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,.

    . - (, ).

    , . GUID , - .

    USN 2763. I.


    USN - , 1. : , .

    - . 7.

    UsnCreated: 2764
    UsnChanged: 2764

    Attribute      USN    Ver  Time      DSA    Org.USN
    (attribute)    2764   1    22:34.42         2764
    givenname      2764   1    22:34.42         2764
    userPassword   2764   1    22:34.42         2764

    , .

    5 DCA -, DCB, , . - USN DCB 1533- USN 1. usnChanged usnCreated. .

    UsnCreated: 1534
    UsnChanged: 1534

    Attribute      USN    Ver  Time      DSA    Org.USN
    (attribute)    1534   1    22:34.42  DCA    2764
    givenname      1534   1    22:34.42  DCA    2764
    userPassword   1534   1    22:34.42  DCA    2764

    .

    , DCB. USN 2211 ( - ). , USN - 1,

    UsnCreated: 1534
    UsnChanged: 2212

    Attribute      USN    Ver  Time      DSA    Org.USN
    (attribute)    1534   1    22:34.42  DCA    2764
    givenname      1534   1    22:34.42  DCA    2764
    userPassword   2212   2    09:30.00  DCB    2212


    , USN userPassword, - usnChanged . , - DCB.

    DCA, USN 3517. - :

    UsnCreated: 1534
    UsnChanged: 3518

    Attribute      USN    Ver  Time      DSA    Org.USN
    (attribute)    1534   1    22:34.42  DCA    2764
    givenname      1534   1    22:34.42  DCA    2764
    userPassword   3518   2    09:30.00  DCB    2212

    , usnChanged USN. - .

    - , . , - , . , - , , , , , , . , , . , ( ), , -. . -, , - , - . - (high watermark) (up-to-datenessvector).

    . . , - - , -. -, - - , .


    , USN, - . - USN . - . , - - - . - , usnChanged - , -. , , - . -.

    - . GUID , , USN. - . Active Directory replUpToDateVector . - , - . . , , , , , . , .

    -. --' - , " - -. Active Directory - , , -, , . . , .

    . DC1-DC4. , - DC1 DC2 , , - DC4.


    [Figure: DC2 at USN 2053, DC3 at USN 1217]

    USN DC1 4711, DC2 -2052. DC3 1217. DC4 3388. - DC4 :

    DC4
    GUID   USN
    DC1    4711
    DC2    2050

    DC4
    GUID   USN
    DC1    4711
    DC3    1217

    DC2 . USN 1 2053.

    DC2 - DC1 . , USN DC 1, , , - USN 1, . . 4712. , , DC1 -, DC2.

    DC1 DC4 . DC4 GetChange. .

    , (NC).

    DC4 (. . ), ,


    . , DC4 .

    USN, DC1 . ( 4711.)

    , - ,

    , -,

    + .

    , - .

    DC1 DC4 , - USN , , -, . , . - DC4 :

    DC4                DC4
    GUID   USN         GUID   USN
    DC1    4711        DC1    4712
    DC2    2053        DC3    1217

    DC2, , DC1, - DC3. , DC1, USN 1218.

    DC3 DC4 , - , . - (. . DC2) - (2053), DC3 , USN . - DC4 :

    DC4                DC4
    GUID   USN         GUID   USN
    DC1    4711        DC1    4712
    DC2    2053        DC3    1218


    DC4 , - (DC1 DC3), , -. , - , -.

    , , -. LDAP - . .

    Active Directory '

    - Add Move ,

    Modify -. Add Move - . - Add Move 1 - R. 2

    . LostAndFound

    , - - , : rdn ABC, - ABC'CNF:, CNF , - -, a GUID GUID

    , .

    Active Directory -,


    . Knowledge Consistency Chec-ker (). - . ? 15 , , . - , , . , - , . . - .

    Active Direc-tory . , , - - . , - , - , -, , , - . , - - . , - . - , .

    Active Direc-tory, :

    ;

    ;

    + ;

    + ;

    ;

    .

    Active Directory -. . - Active Directory.

    -, . . - . - . , NTDS Settings, .


    - . . , , - , .

    , , - , , -. , - , . , .

    . - , , . - , . -. . , '.

    - . - . , - (. ' Active Directory).

    , , , . , . , , IP. , - , - SMTP. .

    ? , Windows 2000 . RPC IP SMTP. - , . .

    - RPC IP. . .

    RPC IP, SMTP. . - .


    + SMTP - . - RFC IP . -, SMTP - , .

    :

    -

    RPC IP

    '

    RPC IPSMTP

    Active Directory , - , , -, , . ,. . . 10 , - .

    , , , . . - , , - .

    , RPC IP. , - . -, , . .

    RPC TCP. Active Directory, RPC 135.


    RFC , ActiveDirectory. - Active Directory . ( , Active Direc-tory, , - .)

    . HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters TCP/IP Port. , - .

    SMTP

    , RPC, a SMTP . -, , , - SMTP -, SMTP - . , , - , , , .

    SMTP , , , .

    , . .

    RPC, SMTP -, :

    - ;

    Active Directory , - ; :

    ;

    , , ;

    , - ;

    , TCP.


    , SMTP , .

    . , -? , - . -, - - !1 -, , , . , . , , -. SMTP - .

    SMTP , .

    , IP, - SMTP. , , , - .400.

    100 1 000 , 0,01 . , 1/1 000 000 (. . 100 1 000 ). : - 1 . , - .

    , HKLM\System\CurrentControlSet\Semces\NTDS\Para-meters. .

    ,

    Parameter                                            Transport   Value
    Replicator intra site packet size (objects)          RPC         1
    Replicator intra site packet size (bytes)            RPC         10
    Replicator inter site packet size (objects)          RPC         1
    Replicator inter site packet size (bytes)            RPC         10
    Replicator async inter site packet size (objects)    SMTP        1
    Replicator async inter site packet size (bytes)      SMTP        10


    \

    , . .

    : , , .

    . , - : . , .

    . .

    , , . DC2 DC3- , - , : DC1 DC2. , - DC2 DC3 .

    . .

    , - ? , . , , , GUID . - , GUJD, , , - .

    , - . ? -, - , .

    : - 3 (hops) .


    : , . & ,

    5 ( - ) , - 15 .

    , - 7. , . . , - , . , 8 . - .

    , DC1. - , , DC1 DC5 - 4 . ,


    , DC5. : - DC1.


    , DC3- , DC7. .

    , , . , - .

    , . , - : DC1 DC5 DC3 DC7 - DC2 DC4 - DC6 DCS. , DC2 DC5, - DC7, , , * * . , , . - .

    , . , , . . -


    , .

    . , , - -, . 8 - , .

    , .

    , . Active Directory - , -, , , . , -, , -.

    , - . . . , .

    [Figure: DCB2, DCB3, DCB4]

    7, 3 : - .


    . .

    - . , , - . . , - . 5 .

    15 . , 15 .

    . HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. - Repl topology update delay (secs). 300. , DNS - , 500 . - Repl topology update period (secs), 900 .

    ? .

    1. , ActiveDirectory, , :

    , ;

    , ; ,' , .

    2. Active Directory, , , , .

    . , -, -/ . - . - Knowledge Consistency Checker HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. 3 , , -


    , - .

    .

    .

    Active Directory Sites and Services - .

    ADSIEdit Ldp CN=NTDS Site Settings,CN=,CN=Sites,CN=Configuration,


    , - .

    1STG Active Directory , - , .

    , .

    30 . - site generator renewal interval (minutes) HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. . , , , . (, ISTG. , - ISTG, - site generator fail-over (minutes) .

    . - Active Directory, , GUID . - - . .

    , - , interSiteTopologyGenerator CN=NTDS Site Settings,CN=,CN=Sites,CN=Configuration.


    (1+D)*S^2


    On Error Resume Next
    ' Console messages are paraphrased in English. The script sets or clears
    ' bit 16 (inter-site automatic topology generation disabled) in the
    ' options attribute of every site's NTDS Site Settings object.

    Set Args = WScript.Arguments
    If Args.Count < 1 Then
        WScript.Echo "Usage: cscript <script>.vbs /disable | /enable"
        WScript.Quit
    End If

    WScript.Echo "Connecting to the local domain controller..."
    Set localMachine = GetObject("LDAP://localhost/rootdse")
    If Err.Number <> 0 Then ReportError: WScript.Quit
    ServerName = localMachine.Get("dnsHostName")
    If Err.Number <> 0 Then ReportError: WScript.Quit
    WScript.Echo "Server: " + UCase(ServerName)

    ' configuration naming context
    configNC = localMachine.Get("configurationNamingContext")
    If Err.Number <> 0 Then ReportError: WScript.Quit
    WScript.Echo "Configuration NC: " + configNC

    ' enumerate the Sites container
    Set objSites = GetObject("LDAP://" & ServerName & "/CN=Sites," & configNC)
    objSites.Filter = Array("site")
    For Each obj In objSites
        WScript.Echo "Site: " + obj.CN
        Set SiteSettings = obj.GetObject("nTDSSiteSettings", "CN=NTDS Site Settings")

        ' read options; error 8000500D means the attribute is not set yet
        origOptions = SiteSettings.Get("options")
        If Hex(Err.Number) = "8000500D" Then
            origOptions = 0
            Err.Clear
        ElseIf Err.Number <> 0 Then
            ReportError: WScript.Quit
        End If
        modOptions = origOptions

        If LCase(Args(0)) = "/disable" Then
            ' is inter-site topology generation already disabled for this site?
            If modOptions And 16 Then
                WScript.Echo "  Already disabled."
            Else
                mod2Options = modOptions Or 16
                WScript.Echo "  Disabling..."
                SiteSettings.Put "options", mod2Options
                SiteSettings.SetInfo
                If Err.Number <> 0 Then
                    If Hex(Err.Number) = "8000500D" Then
                        ' nothing to do
                    Else
                        ReportError
                        WScript.Echo "  Could not write the options attribute."
                        WScript.Quit
                    End If
                End If
            End If
        Else
            ' /enable: clear the bit if it is set
            If modOptions And 16 Then
                WScript.Echo "  Enabling..."
                mod2Options = modOptions Xor 16
                SiteSettings.Put "options", mod2Options
                SiteSettings.SetInfo
                If Err.Number <> 0 Then
                    If Hex(Err.Number) = "8000500D" Then
                        ' nothing to do
                    Else
                        ReportError
                        WScript.Echo "  Could not write the options attribute."
                        WScript.Quit
                    End If
                End If
            Else
                WScript.Echo "  Already enabled."
            End If
        End If
    Next

    Sub ReportError
        WScript.Echo "Error 0x" & Hex(Err.Number) & ": " & Err.Description
    End Sub



    VBS :

    cscript


    , -. , - . , - -; , .

    . , - . - , , .

    , - ? , , - . , - , .

    -, . - 15 , - , -, 15 . Active Directory, - . . Windows 2000 Windows NT 4.0 Windows 2000.


    Windows 2000 Windows 2000 Windows 2000 Windows NT 4.0

    LSA ( ) RID-

    - LSA ( )

    , , . . , , , - , 15 , - ID.

    Syntax

    , . - options , . - ADSIEdit Ldp. , -


    DEFAULTIPSITELINK, - Active Directory CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,. options 1 ( ), , - .

    - Active Directory

    , . , IP, SMTP.

    - , - .

    - . Windows NT - , Windows 2000 . . , , . - . - . - , . , .

    Windows NT , . - Windows 2000. - , PDC, , . , , , PDC, .

    . . - HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters AvoidPDCOnWan. . 1, PDC -


    . . .

    , , , - , - , 1 AvoidPDCOnWan 1 ,:

    PDC;

    + PDC, , , ;

    .

    2,- - -^ "

    5. -

    1 AvoidPDCOnWan

    AvoidPDCOnWan - 1 PDC, - . SP2.

    Active Directory :

    ;


    ;

    DNS-,

    ;

    (, - , IPSec);

    .

    - , - . , - : .

    Support tools, -, . Windows 2000 Resour-ce Kit , - , .

    , . , ;

    + -, Active Directory;

    + Active Directory Sites and Services, - Replicate now; , - .

    , . - . .

    , - GUID. GUID DNS _msdcs.( . Active Directory). - Nslookup.

    , - repadmin ( ) replmon ().

    Active Directory DsaStat. - Active Directory


    . , .

    -. -, , . , - . , : - , - .

    . , - , ( - ), DNS.

    . , - Active Directory Sites and Services.

    , - . , , , . .

    , , . . - .

    - :

    Active Directory Sites and Services;

    repadmin /showreps;

    Replication Monitor.

    Active Directory Sites and Services

    , . , ' . , - .

    , , :

    [Screenshot: Active Directory Sites and Services console showing Sites, Inter-Site Transports, SiteA (Servers: MID1, ROOT1, ROOT2), Subnets, SiteB and an automatically generated connection]


    . , - , - .

    ==== INBOUND NEIGHBORS ======================================

    CN=Schema,CN=Configuration,DC=mycorp,DC=ru
        Default-First-Site-Name\MID1 via RPC
            objectGuid: 19c9dbc3-d5d2-47cc-94e3-5135adfc4bcb
            Last attempt @ 2002-05-07 13:00.52 failed, result 8524:
                Can't retrieve message string 8524 (0x214c), error 1815.
            Last success @ 2002-05-06 19:52.36.
            4 consecutive failure(s).
        Default-First-Site-Name\ROOT2 via RPC
            objectGuid: a6563e8f-9a97-40a9-9c28-23ba4f348593
            Last attempt @ 2002-05-07 13:39.47 was successful.

    , - :ROOT2 MID1, , IP (RPC IP). - ROOT2 , - MID1 , - . - .

    CN=Configuration,DC=mycorp,DC=ru
        Default-First-Site-Name\MID1 via RPC
            objectGuid: 19c9dbc3-d5d2-47cc-94e3-5135adfc4bcb
            Last attempt @ 2002-05-07 13:01.13 failed, result 1722:
                Can't retrieve message string 1722 (), error 1815.
            Last success @ 2002-05-06 21:48.10.
            2 consecutive failure(s).
        Default-First-Site-Name\ROOT2 via RPC
            objectGuid: a6563e8f-9a97-40a9-9c28-23ba4f348593
            Last attempt @ 2002-05-07 13:39.47 was successful.

    - mycorp.ru. ROOT2, - ,

    DC=mycorp,DC=ru
        Default-First-Site-Name\ROOT2 via RPC
            objectGuid: a6563e8f-9a97-40a9-9c28-23ba4f348593
            Last attempt @ 2002-05-07 13:39.47 was successful.

    , -


    . , msk.mycorp.ru - MID1, .

    DC=msk,DC=mycorp,DC=ru
        Default-First-Site-Name\MID1 via RPC
            objectGuid: 19c9dbc3-d5d2-47cc-94e3-5135adfc4bcb
            Last attempt @ 2002-05-07 13:02.16 failed, result 1722:
                Can't retrieve message string 1722 (), error 1815.
            Last success @ 2002-05-06 21:47.40.
            2 consecutive failure(s).

    -, ROOT1.

    ==== OUTBOUND NEIGHBORS CHANGE NOTIFICATIONS ============

    . : ROOT2 MID1. , - . repadmin .

    CN=Schema,CN=Configuration,DC=mycorp,DC=ru
        Default-First-Site-Name\MID1 via RPC
            objectGuid: 19c9dbc3-d5d2-47cc-94e3-5135adfc4bcb
        Default-First-Site-Name\ROOT2 via RPC
            objectGuid: a6563e8f-9a97-40a9-9c28-23ba4f348593

    CN=Configuration,DC=mycorp,DC=ru
        Default-First-Site-Name\MID1 via RPC
            objectGuid: 19c9dbc3-d5d2-47cc-94e3-5135adfc4bcb
        Default-First-Site-Name\ROOT2 via RPC
            objectGuid: a6563e8f-9a97-40a9-9c28-23ba4f348593

    mycorp.ru . msk.mycorp.ru . , - msk.mycorp.ru, . , .

    DC=mycorp,DC=ru
        Default-First-Site-Name\ROOT2 via RPC
            objectGuid: a6563e8f-9a97-40a9-9c28-23ba4f348593

    - . . -, , ,


    * - . repadmin .

    , , repadmin /showreps

    , - , repadmin /showconn.

    Replication Monitor

    - , . , , Replication Monitor. , repadmin.

    ,- File. - .

    , - , , , , .

    [Screenshot: Replication Monitor, Direct Replication Partner Data pane: the partner has seen all changes for this directory partition through USN 6595 and the last replication was successful]


    Replication Monitor

    . . - Active Directory - , -.

    DsaStat

    DsaStat , - . , - . ROOT1 ( ) ROOT2. :

    dsastat -s:root1;root2 -b:dc=mycorp,dc=ru -gcattrs:objectclass -p:16 -filter:(objectclass=user)

    ( - dsastat). -s. , , , LDAP-. , - 328.


    :

    Stat-Only mode.
    Unsorted mode.
    Opening connections...root1...success.

    - :

    Connecting to root1...reading...**> ntMixedDomain = 0
    reading...**> Options = 1
    Setting server as [root1] as server to read Config Info...root2...success.
    Connecting to root2...reading...**> ntMixedDomain = 0
    reading...
    LocalException : Cannot get Options.
    Generation Domain List on server root1...
    > Searching server for GC attributes OID list
    Retrieving statistics...
    Paged result search...
    Paged result search...
    ...(Terminated query to root1, )
    ...(Terminated query to root2, )

    ( ).

    -=!*** DSA Diagnostics ***!=-
    Objects per server:
    Obj/Svr     root1   root2   Total
    computer    2       2       4
    user        7       6       13
                9       8       17
    FAIL Server total object count mismatch

    , user . , - . , . , 500 , ,


    1-2 , - . , , , - , :

    15-20 ;

    , - ; , , - dsastat;

    .

    , - .

    Bytes per object:
    computer 164
    user 429

    Bytes per server:
    root1 313
    root2 280

    Checking for missing replies...
    No missing replies!
    INFO: Server sizes are not equal (min=313,max=280).

    , . - .

    *** Different Directory Information Trees. 1 errors (see above). ***
    FAIL -= FAIL =-
    closing connections...
    root1; root2;

    Dcdiag repadmin. , ,


    . . , .

    dcdiag /test:replications /a

    :

    DC Diagnosis

    performing initial setup:
    Done gathering initial info.

    Doing initial non skippeable tests
    Testing server: Default-First-Site-Name\ROOT1
    Starting test: Connectivity
    ROOT1 passed test Connectivity

    . , - IP, ping . ROOT1 , MID1, , , - . , - .

    Testing server: Default-First-Site-Name\MID1
    Starting test: Connectivity
    Server MID1 resolved to this IP address 10.1.2.2, but the address couldn't be reached (pinged), so check the network.
    The error returned was: Win32 Error 11010
    This error more often means that the targeted server is shutdown or disconnected from the network
    MID1 failed test Connectivity

    ROOT2 .

    Testing server: Default-First-Site-Name\ROOT2
    Starting test: Connectivity
    ROOT2 passed test Connectivity

    , . - MID1,

    Doing primary tests
    Testing server: Default-First-Site-Name\ROOT1
    Starting test: Replications
    [Replications Check,ROOT1] A recent replication attempt failed:
    From MID1 to ROOT1
    Naming Context: CN=Schema,CN=Configuration,DC=mycorp,DC=ru
    The replication generated an error (1722):
    Win32 Error 1722
    The failure occurred at 2002-05-07 19:10.02.
    The last success occurred at 2002-05-06 19:52.36.
    11 failures have occurred since the last success.
    The source remains down. Please check the machine.
    [Replications Check,ROOT1] A recent replication attempt failed:
    From MID1 to ROOT1
    Naming Context: CN=Configuration,DC=mycorp,DC=ru
    The replication generated an error (1722):
    Win32 Error 1722
    The failure occurred at 2002-05-07 19:10.44.
    The last success occurred at 2002-05-06 21:48.10.
    9 failures have occurred since the last success.
    The source remains down. Please check the machine.
    [Replications Check,ROOT1] A recent replication attempt failed:
    From MID1 to ROOT1
    Naming Context: DC=msk,DC=mycorp,DC=ru
    The replication generated an error (1722):
    Win32 Error 1722
    The failure occurred at 2002-05-07 19:11.26.
    The last success occurred at 2002-05-06 21:47.40.
    9 failures have occurred since the last success.
    The source remains down. Please check the machine.
    ROOT1 passed test Replications

    , . , , - .

    MID1, , . - :

    Testing server: Default-First-Site-Name\MID1
    Skipping all tests, because server MID1 is not responding to directory service requests

    - MID1 ROOT2 - , - .

    Testing server: Default-First-Site-Name\ROOT2
    Starting test: Replications
    [Replications Check,ROOT2] A recent replication attempt failed:
    From MID1 to ROOT2
    Naming Context: CN=Schema,CN=Configuration,DC=mycorp,DC=ru
    The replication generated an error (1722):
    Win32 Error 1722
    The failure occurred at 2002-05-07 18:50.46.
    The last success occurred at 2002-05-06 19:53.29.
    10 failures have occurred since the last success.
    The source remains down. Please check the machine.
    [Replications Check,ROOT2] A recent replication attempt failed:
    From MID1 to ROOT2
    Naming Context: CN=Configuration,DC=mycorp,DC=ru
    The replication generated an error (1722):
    Win32 Error 1722
    The failure occurred at 2002-05-07 18:50.25.
    The last success occurred at 2002-05-06 21:48.38.
    8 failures have occurred since the last success.
    The source remains down. Please check the machine.
    ROOT2 passed test Replications

    Running enterprise tests on : mycorp.ru

    Repadmin

    repadmin. - . , , - . , -? repadmin getchanges:

    repadmin /getchanges dc=mycorp,dc=ru root2.mycorp.ru a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a

    , mycorp.ru root2 , - GUID .

    -. USN ( -):

    Building starting position from destination server root2.mycorp.ru

    Source Neighbor:

    dc=mycorp,dc=ru

    Default-First-Site-Name\ROOT1 via RPC

    objectGuid: a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a

    Address: a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a._msdcs.mycorp.ru

    ntdsDsa invocationId: a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a
    WRITEABLE SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
    USNs: 4798/OU, 4798/PU
    Last attempt @ 2002-05-07 20:05.51 was successful.


    :

    Destination's Up To Dateness Vector:
    2ff7fbaa-6607-472c-b3a5-ccf8445de5bf @ USN 4973
    a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a @ USN 4847

    , ,

    ( sn) CN=u2,OU=test,DC=mycorp,DC=ru:

    == SOURCE DSA: a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a._msdcs.mycorp.ru ==
    Objects returned: 1
    (0) modify CN=u2,OU=test,DC=mycorp,DC=ru
        1> objectGUID: db92fe3;J-d14a-49b9-98ae-ec905ec39bf1
        1> sn: Petrov
        1> instanceType: 4

    . . USN. , :

    Source Neighbor:
    dc=mycorp,dc=ru
    Default-First-Site-Name\ROOT1 via RPC
    objectGuid: a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a
    Address: a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a._msdcs.mycorp.ru
    ntdsDsa invocationId: a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a
    WRITEABLE SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
    USNs: 4850/OU, 4850/PU
    Last attempt @ 2002-05-07 20:12.37 was successful.

    Destination's Up To Dateness Vector:
    2ff7fbaa-6607-472c-b3a5-ccf8445de5bf @ USN 4989
    a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a @ USN 4860

    == SOURCE DSA: a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a._msdcs.mycorp.ru ==
    No changes.

    -. USN. :

    repadmin /showmeta CN=u2,OU=test,DC=mycorp,DC=ru

    . . , - root2. , USN sn. 450, . . , USN .


    Loc.USN  Originating DSA                Org.USN  Org.Time/Date        Ver  Attribute
    4678     Default-First-Site-Name\ROOT1  4678     2002-05-07 18:03.21  1    objectClass
    4678     Default-First-Site-Name\ROOT1  4678     2002-05-07 18:03.21  1    cn
    4850     Default-First-Site-Name\ROOT1  4850     2002-05-07 20:09.15  4    sn
    4679     Default-First-Site-Name\ROOT1  4679     2002-05-07 18:03.22  1    description
    4678     Default-First-Site-Name\ROOT1  4678     2002-05-07 18:03.21  1    givenName
    4678     Default-First-Site-Name\ROOT1  4678     2002-05-07 18:03.21  1    instanceType
    4678     Default-First-Site-Name\ROOT1  4678     2002-05-07 18:03.21  1    whenCreated
    4679     Default-First-Site-Name\ROOT1  4679     2002-05-07 18:03.22  1    displayName

    , , , USN . ., , Replication Monitor, . - . . .

    , . .

    , , ,

    Active Directory Replication Monitor
    Printed on 07.05.2002 20:45:06
    This report was generated on data from the server: ROOT1

    ROOT1, . -. , repadmin? - , , .

    ROOT1 Data

    This server currently has writable copies of the following directory partitions:
    CN=Schema,CN=Configuration,DC=mycorp,DC=ru
    CN=Configuration,DC=mycorp,DC=ru
    DC=mycorp,DC=ru

    , , - . , , - .

    Because this server is a Global Catalog (GC) server, it also has copies of the following directory partitions:

    DC=msk,DC=mycorp,DC=ru

    . , - repadmin. , . . - :

    Current NTDS Connection Objects

    Default-First-Site-Name\MID1
    Connection Name : 828a2adb-a24b-45db-bf0c-b65aa4cbfb95
    Administrator Generated?: AUTO

    [Screenshot: Replication Monitor report options dialog (site configuration, inter-site transport configuration, subnets)]

    ,


    : GUID. - Active Directory Sites and Services - Automatically generated , GUID. AUTO Automatically generated. , , :

    Default-First-Site-Name\MID1
    Connection Name : From MID1
    Administrator Generated?: YES

    . . , .

    , . Ring neighbor. . , -:

    Reasons for this connection:
    Directory Partition (DC=msk,DC=mycorp,DC=ru)
    Replicated because the replication partner is a ring neighbor.
    Directory Partition (CN=Schema,CN=Configuration,DC=mycorp,DC=ru)
    Replicated because the replication partner is a ring neighbor.
    Directory Partition (CN=Configuration,DC=mycorp,DC=ru)
    Replicated because the replication partner is a ring neighbor.

    surpassed the allowed failure limit. , . , . , . , .

    Directory Partition (CN=Schema,CN=Configuration,DC=mycorp,DC=ru)
    This replication connection is created because another replication partner has surpassed the allowed failure limit.

    Active Directory 1308 . The Directory Service consistency checker has noticed that 2 successive replication attempts with CN=NTDS Settings,CN=ROOT2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mycorp,DC=ru have failed over a period of 787 minutes. The connection object for this server will be kept in place, and new temporary connections will be established to ensure that replication continues. The Directory Service will continue to retry replication with CN=NTDS Settings,CN=ROOT2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mycorp,DC=ru; once successful the temporary connection will be removed.

    . , repadmin /showreps, - . , ,

    Current Direct Replication Partner Status

    Directory Partition: CN=Schema,CN=Configuration,DC=mycorp,DC=ru
    Partner Name: Default-First-Site-Name\ROOT2
    Partner GUID: 2FF7FBAA-6607-472C-B3A5-CCF8445DE5BF
    Last Attempted Replication: 5/7/2002 7:59:14 PM (local)
    Last Successful Replication: 5/7/2002 7:59:14 PM (local)
    Number of Failures: 0
    Failure Reason Error Code: 0
    Failure Description: The operation completed successfully.
    Synchronization Flags: DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC
    USN of Last Property Updated: 4928
    USN of Last Object Updated: 4928
    Transport: Intra-Site RPC

    , :

    Directory Partition: CN=Schema,CN=Configuration,DC=mycorp,DC=ru
    Partner Name: Default-First-Site-Name\MID1
    Partner GUID: 531BD902-1AEF-4F29-A8DC-D27A0CFC3003
    Last Attempted Replication: 5/8/2002 9:52:06 AM (local)
    Last Successful Replication: 5/7/2002 7:59:14 PM (local)
    Number of Failures: 2
    Failure Reason Error Code: 1722
    Failure Description: The RPC server is unavailable.
    Synchronization Flags: DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC
    USN of Last Property Updated: 6117
    USN of Last Object Updated: 6117
    Transport: Intra-Site RPC

    . , 2 - , RPC. ,


    , .

    , - .

    ,

    , , . - , GUID, , -... . , - , :

    Change Notifications for this Directory Partition
    Server Name: Default-First-Site-Name\ROOT2
    Object GUID: A6563E8F-9A97-40A9-9C28-23BA4F348593
    Time Added: 23.03.2002 13:14:31
    Flags: DRS_WRIT_REP
    Transport: RPC

    :

    Server Name: Site-1\VM20002
    Object GUID: 5E29E488-863B-46B1-B7EB-6C54A63D6A44
    Time Added: 23.06.2016 14:27:53
    Flags: DRS_WRIT_REP
    Transport: RPC

    . - 15 . - - . 15 , . . - , .

    , . , , . - , - :

    Performance Statistics at Time of Report

    REPLICATION
    Replicator notify pause after modify (secs): 300
    Replicator notify pause between DSAs (secs): 30
    Replicator intra site packet size (objects):
    Replicator intra site packet size (bytes):
    Replicator inter site packet size (objects):
    Replicator inter site packet size (bytes):
    Replicator maximum concurrent read threads:
    Replicator operation backlog limit:
    Replicator thread op priority threshold:
    Replicator intra site RPC handle lifetime (secs):
    Replicator inter site RPC handle lifetime (secs):
    Replicator RPC handle expiry check interval (secs):

    KCC
    Repl topology update delay (secs):
    Repl topology update period (secs):
    KCC site generator fail-over (minutes):
    KCC site generator renewal interval (minutes):
    CriticalLinkFailuresAllowed:
    MaxFailureTimeForCriticalLink (sec):
    NonCriticalLinkFailuresAllowed:
    MaxFailureTimeForNonCriticalLink (sec):
    IntersiteFailuresAllowed:
    MaxFailureTimeForIntersiteLink (sec):
    KCC connection failures:
    IntersiteFailuresAllowed:

    , - Active Directory . - . , - .

    -. . - -. , . . . , , - . , -. , .


    (Access Denied)

    :

    , , -, Active Directory Sites and Services;

    .

    The following error occurred during the attempt to synchronize the domain controllers: Replication access was denied. , , , - , . , - . - . - - . Enterprise Admins, . - , , Active Directory Sites and Services , (, Enterprise Admins ). - , - .

    , - 1265: The attempt to establish a replication link with parameters.... failed with the following status: Access is denied. - repadmin /showreps .

    , - , repadmin/showreps , , Access denied error*

    . -, , , , Active Directory.

    - . Windows NT Windows 2000.


    .

    1. (Key Distribution Center), - Kerberos, , - - . .

    .

    ) :

    net stop kdc

    , (disabled), .

    ) kdc , klist /purge ( Windows 2000 Resource Kit).

    ) :

    netdom resetpwd /server:<DC> /userd:<domain>\<user> /passwordd:*

    ) kdc

    net start kdc

    2. repadmin /kcc repadmin /sync 1265 , - - .

    ) :

    repadmin /add


    . , - (Event ID 1265) .

    ) , kdc.

    .

    ) KDC Kerberos.

    ) ( -, ). :

    repadmin /sync cn=schema,cn=configuration,

    ) , - .

    ) , - .

    ) , kdc.

    (Target account name is incorrect) - . , Active Directory Sites and Services Replication monitor Logon Failure: The target account name is incorrect. - NTDS Replication, Event ID 1645:

    The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server. The server being contacted is afb720fd-38c7-4505-aa9f-b658ca124773._msdcs.mycorp.ru. The SPN being used is

    E3514235-4B06-11D1-AB04-00C04FC2DCD2/afb720fd-38c7-4505-aa9f-b658ca124773/mycorp.ru@mycorp.ru.

    Please verify that the names of the target server and domain are correct.

    Please also verify that the SPN is registered on the computer account object for the target server on the KDC servicing the request. If the target server has been recently promoted, it will be necessary for knowledge of this computer's identity to replicate to the KDC before this computer can be authenticated.


    NTDS , Event 1265:

    The attempt to establish a replication link with parameters Partition: CN=Configuration,DC=MyDomain,DC=net Source DSA DN: CN=NTDS Settings,CN=MyServer,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MyDomain,DC=com Source DSA Address: 5e5abf03-e902-48e2-a326-41977dee176d._msdcs.mycorp.ru Inter-site Transport (if any): failed with the following status: Logon Failure: The target account name is incorrect. The record data is the status code. This operation will be retried.

    :

    + (Service Principal Name, SPN) ;

    trustedDomain (TDO), System.

    trustedDomain

    , TDO System, Active Directory Users and Computers - , -, msk.mycorp.ru. Trusted Domain.

    [Figure: Active Directory Users and Computers, System container of mycorp.ru showing the trustedDomain (TDO) object]


    , , - .

    ) , , Active Directory Domains and Trusts, - PDC .

    ) Trusts, - , . - . . , - - * (shortcut).

    ) . , - . - , .

    ) :

    NETDOM TRUST <trusting_domain> /D:<trusted_domain> /UserD:administrator /PasswordD:* /UserO:administrator /PasswordO:* /Reset /TwoWay

    UserD UserO - .

    ) , -.

    ) , -. .

    SPN

    ) IP , - . ping GUID, . - afb720fd-38c7-4505-aa9f-b658ca124773._msdcs.mycorp.ru.

    ) ADSIEdit. , , .

    ADSIEdit : .

    ) servicePrincipalName. ,

    GUID. , E3514235-4B06-11D1-AB04-00C04FC2DCD2/afb720fd-38c7-4505-aa9f-b658ca124773/mycorp.ru.

    ) , Remove. Edit Attribute . - Add.

    ) Edit Attribute *@. Add.

    ) - servicePrincipalName.

    .

    , :

    GUID;

    + servicePrincipalName .

    .

    RPC (RPC Server Not Available)

    . - :

    ;

    + .

    - 1265: The attempt to establish a replication link with parameters ... failed with the following status: The RPC Server is unavailable.

    , , - , repadmin /showreps .

    - ping. ' GUID. - , .

    ping 19c9dbc3-d5d2-47cc-94e3-5135adfc4bcb._msdcs.mycorp.ru

    Pinging mid1.msk.mycorp.ru [10.1.2.2] with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    DNS (DNS lookup failure) . Active Directory -. - - . - 1265: The attempt to establish a replication link with parameters ... failed with the following status: DNS lookup failure.

    , , - repadmin /showreps .

    DNS - , DNS Active Directory. .

    ping GUID . , - _msdcs, . nslookup , DNS . , - . , - DNS.

    , :

    net stop dns client
    net start dns client

    , , - DNS - .

    , , , . , -, IP . , - . ipconfig /flushdns. - , CNAME DNS, -. , . , - .

    (Directory service too busy) - NTDS Replication Event ID=1083:


    "Replication warning: The directory is busy. It couldn't update object CN=ROOT2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mycorp,DC=ru with changes made by directory afb720fd-38c7-4505-aa9f-b658ca124773._msdcs.mycorp.ru. Will try again later."

    , -, GUID .

    Active Directory- - .

    .

    ) ping GUID IP . :

    ping afb720fd-38c7-4505-aa9f-b658ca124773._msdcs.mycorp.ru

    ) Ldp, - bind .

    ) . - , .

    [Figure: Ldp output for the object CN=ROOT2,CN=Servers,...: canonicalName mycorp.ru/Configuration/Sites/SiteA/Servers/ROOT2; cn: ROOT2; objectClass: top; server; name: ROOT2]

    ( ), - Ldp . - Delete DN -. .

    , , .

    , - . - . .

    .

    repadmin /sync cn=configuration,

    repadmin /sync

    , 1083. .

    SP2 , Event ID 8438 The directory service is too busy to complete the replication operation at this time. .

    ( LDAP 82)

    Active Directory, . , . NTDS 1265: The attempt to establish a replication link with parameters ... failed with the following status: There is a time difference between the client and server.

    - . PDC . .

    , -, :

    net time \\<PDC> /set

    Access denied, , .

    , . , .

    - ID=1084 Replication failed with an internal error ID, :

    Replication error: The directory replication agent (DRA) couldn't update object CN="8f03823f-410c-4483-86cc-b820b4f2103f DEL:66aab46a-2693-4825-928f-05f6cd12c4e6",CN=Deleted Objects,CN=Configuration,DC=mycorp,DC=ru (GUID 66aab46a-2693-4825-928f-05f6cd12c4e6) on this system with changes which have been received from source server 62d85225-76bf-4b46-b929-25a1bb295f51._msdcs.mycorp.ru. An error occurred during the application of the changes to the directory database on this system.

    , , , Active Directory , , , . , . SP2. , SP2 .

    - , ntdsutil (. *).

    .

    1) GUID -. 66aab46a-2693-4825-928f-05f6cd12c4e6, .

    2) Ldp . bind .

    3) Delete, DN .

    4) , . - 1084 , . 1-3.

    (No more end-point)

    repadmin/showreps. .

    TCP - . netstat. TCP,

    , RPC Directory Replication Service . , DNS - IP.

    49

    . , . repadmin /sync. , repad-min /showreps . - . , , .

    ,

    repadmin /showreps , , .

    Active Directory (replication has been pre-empted

    , - . - .


    Replication posted, waiting

    , - . , - .

    Last attempt @ ... was not successful

    , , - , , . , , , .

    , - , -. , - DRA Pending Replication Synchronizations.

    Active Directory . - . - , . , -, - , ; , .

    , SP2, SP2 .

    - . , . Advanced Troubleshooting [3], [6]. , .

  • - . , , . , , , .

    Windows 2000 Active Directory , . : Active Directory ; - Active Directory. !

    , , , - , .

    , Windows NT, , , - . , - Windows 2000, : . Windows 9x/NT, - Windows 2000/XP. Windows 2000. , . , , - Windows 2000, . Microsoft, , , -, Windows, - . .

    , Windows NT 4.0 config.pol ntconfig.pol, - NETLOGON. - -, . ; HKEY_CURRENT_USER (HKCU) HKEY_LOCAL_MACHINE (HKLM) ,

    - , Active Directory. (). : SYSVOL Active Directory. : . Active Directory.

    , . , - : * , - , . , . Windows 2000 Windows XP Pro, .

    , - %systemroot%\System32\GroupPolicy. - -? , , , LSDOU. - :

    (L);

    (S):


    + (D);

    (OU).

    , . , , -, . , . - . , , . . , - , : , - , . .

    , - . , , . Windows2000/ - . .

    , , - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions. , - .

    , , : , . . scecli.dll, .


    : . , . , , , , .

    , :

    (Computer Configuration):

    Software Settings: Software Installation (Windows Installer);
    Windows Settings: Security Settings;
    Windows Settings: Scripts (Windows Scripting Host, WSH);
    Administrative Templates (HKLM).

    (User Configuration):

    Software Settings: Software Installation (Windows Installer);
    Windows Settings: Internet Explorer Maintenance (Internet Explorer);
    Windows Settings: Folder Redirection (Desktop, My Documents, Startup);
    Windows Settings: Security Settings;
    Windows Settings: Remote Installation Services;
    Windows Settings: Scripts (Windows Scripting Host, WSH);
    Administrative Templates (HKCU).

    , - .

  • - .

    , - . , Active Directory SYSVOL , Active Directory, - (Group Policy Container, GPC). - (Group Policy Template, GPT).

    CN=Policies,CN=System,

    , GUID, . , -, GUID, - displayName. , , GUID {6AC1786C-016F-11D2-945F-00C04fB984F9} - Default Domain Controllers Policy. gPCFileSysPath: . - 1:1, . . , - .

    , gPCFileSysPath \\<domain>\SYSVOL\<domain>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}. . , GUID , .

    , - . - . , - , .

    - , . - .

    SYSVOL , . - .

    , ... , , , Active Directory , - Active Directory, SYSVOL -, NTFRS. - , - , , , - , .

    displayName gPCFileSysPath, :

    gPCFunctionalityVersion Version Group Policy,

    gPCMachineExtensionsName GUID ,

    gPCUserExtensionsName GUID -,

    versionNumber . - , gpt.ini , , -

    .

    , : Active Directory - SYSVOL. Machine User, , , - , , , Class Store. -. -, Packages, packageRegistration - . -, Class Store HKEY_CLASSES_ROOT, Active Directory. , - -. Class Store -, -, .

    . (. . GUID ), :

    Adm , -. .adm

    Machine , , -

    User , , -

    Gpt.ini

    Machine User R , .


    , , - :

    Applications

    Documents &Settings

    -

    Microsoft - Security ConfigurationEditor, IE Admin, RIS

    -. .aas. , INI, . - FolderStatus - . SID = . :

    [FolderStatus]
    Application Data=11
    Desktop=11
    My Documents=11
    My Pictures=2
    Start Menu=0
    Programs=2
    Startup=2
    [Application Data]
    s-1-1-0=\\fzhub\personal\%username%\Application data
    [Desktop]
    s-1-1-0=\\fzhub\personal\%username%\Desktop
    [My Documents]
    s-1-1-0=\\fzhub\personal\%username%\My Documents
    [My Pictures]
    [Start Menu]
    s-1-1-0=\\fzhub\personal\%username%\Start Menu
    [Programs]
    [Startup]

    , . , Security Editor \Windows NT\SecEdit. - GptTmpl.inf , - . :

    [Unicode]
    Unicode=yes
    [System Access]

    Scripts

    -

    - -/ /- - - , - -

    MinimumPasswordAge =
    MaximumPasswordAge = 42
    MinimumPasswordLength = 0
    PasswordComplexity = 0
    PasswordHistorySize = 1
    LockoutBadCount = 0
    RequireLogonToChangePassword = 0
    ForceLogoffWhenHourExpire = 0
    ClearTextPassword = 0
    [Kerberos Policy]
    MaxTicketAge = 10
    MaxRenewAge = 7
    MaxServiceAge = 600
    MaxClockSkew = 5
    TicketValidateClient = 1
    [Version]
    signature="$CHICAGO$"
    Revision=1

    scripts.ini. , -, -, ,

    , User Machine Registry.pol. , Administrative Templates . , Adm. , , Adm, .

    Active Directory (versionNumber), gpt.ini. .

    , AD Replication Monitor, - Show Group policy object status. - , :

    [Figure: AD Replication Monitor, Show Group policy object status: Default Domain Controllers Policy, Time Restriction]

    . 1, 65 536! , - 1 (Computer), 10 (User), 65 546. - - 65 536.

    . , , versionNumber INTEGER. 16 - , . .

    , DLL. - . . - , , -, , . - , .

    GUID:

    GUID DLL.

    Client-side extension, GUID, DLL:

    Disk quotas: {3610EDA5-77EF-11D2-8DC5-00C04FA31A66}, dskquota.dll
    Registry (Administrative Templates): {35378EAC-683F-11D2-A89A-00C04FBBCFA2}, userenv.dll
    Folder redirection: {25537BA6-77A8-11D2-9B6C-0000F8080861}, fdeploy.dll
    Scripts: {42B5FAAE-6536-11D2-AE5A-0000F87571E3}, gptext.dll
    QoS packet scheduler (Windows XP): {426031C0-0B47-4852-B0CA-AC3D37BFCB39}, gptext.dll
    Security: {827D319E-6EAC-11D2-A4EA-00C04F79F83A}, scecli.dll
    Internet Explorer maintenance: {A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}, iedkcs32.dll
    EFS recovery: {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}, scecli.dll
    Software installation: {C6DC5466-785A-11D2-84D0-00C04FB169F7}, appmgmts.dll
    IP Security: {E437BC1C-AA7D-11D2-A382-00C04F991E27}, gptext.dll


    , - . - . - , , - .

    [Figure: client-side extension policy settings: Allow processing across a slow network connection; Process even if the Group Policy objects have not changed]

    (Allow processing across a slow network connection). , . , , , , . , ;, .

    - :

    ( );

    .

    . : ? , , , ( )


    ? , , - . , - .

    -. - . , , -. .

    , - ! . . , - - , .

    ? , , ? :

    1. , 0 , - (t1);

    2. , 4 , - (t2);

    3. D = t2 - t1;

    4. , D D;

    5. D: D = D/3;

    6. = (4 * 1000 / D * 8) / 1024.

    Group Policy slow link detection . , , 500 /. , - 4,294,967,200 /. , - , . - , .

    . - ; - , . - ;

    . , - . - , . - : - . , , My Documents . -- , - . - , (fdeploy.dll). - , , - , , .

    .

    ( ) ( )

    90 + (-)

    90 + (-)

    5

    (7 -45 ) +(0-24) (7 -45 ) +(0-24) (7 -45 ) +(0-24)


    , . - 30 . , - . -, .

    . -, , - . - , . - . , - - . - (Disable background refresh of Group Policy). - .

    , . : - , . - . . , ,, , . - , , - . . , - , .

    -, , , . - , .

    , , -, . , - , , , - . , - .

    (Process even if the Group Policy Objects have not changed). , , .

    - .

    DllName
    ProcessGroupPolicy
    ProcessGroupPolicyEx
    NoMachinePolicy
    NoUserPolicy
    NoSlowLink
    NoBackgroundPolicy
    NoGPOListChanges
    PerUserLocalSettings
    RequiresSuccessfulRegistry
    EnableAsynchronousProcessing


    , . , , - : . :

    ;

    + ;

    + ;

    .

    , , , - , :

    Domain Admins;

    + Administrators;

    Enterprise Admins;

    Group Policy Creators.

    LSDOU, , : , - , - . , , , . - , -. Windows 2000 - :

    + ;

    + ;

    + ;

    .

    , - . , . , - . ,


    , - .

    .

    1. . , -

    2. , - , , , .

    3. , , .

    , - , . , , . , , , -,

    - . , , . , , - , .

    , .

    . , .- , - . 100% , , - , . . , , - , (No override). , , . -, - .

    , . - , , - , .

    , , - , , -. , - , .


    , Windows Explorer. , .

    . , , -, . , , , - . .

    (loop-back processing). . UGP. - U . , S, CGP, , . , CGP. U - S. :

    + CGP;

    UGP.

    - : .

    CGP - UGP , , UGP My Documents , CGP , - . CGP UGP, CGP, . . , .

    UGP - - , .

    , . - . - .

    , , . , - My Documents , , - .

    , . , - . , -, . , . -, -. . , - , - . -, - - . - )' -, .

    , , . . , -, . -

    , , . - , -, .

    . : , Active Directory, . , Read, Write, Full Control, Apply Group Policy. Read Apply . , , .

    Read , , . , . :

    ,

    : Full Control, Read, Write, Create All child objects, Delete All child objects, Apply Group Policy.

    Authenticated Users: Read, Apply Group Policy
    Creator Owner:
    Domain Admins: Read, Write, Create All child objects, Delete All child objects
    Enterprise Admins: Read, Write, Create All child objects, Delete All child objects
    SYSTEM: Read, Write, Create All child objects, Delete All child objects

    , Authenticated Users, - , . - , , , Authenticated Users, , , .

    . , . , , . -, , Domain Admins. Apply Group Policy , .

    Enterprise Admins . - Domain Admins, , -, , .


    Creator Owners. To, - , . , -, , - :

    + ( ) , ;

    , , ;

    .

    , , - -. . - Active Directory, .

    , , . , - .

    -, Authenticated Users ., ' , , - - . Authenticated Users - Apply Group Policy, - . , .

    -, . - .

    -, Deny., , - , . :

    Authenticated Users , ;

    + , ;

    - (Deny Apply Group Policy) - .


    , - . ! . Deny - .

    - , . .

    - (. ' Active Directory*), - .

    , , , - Deny.

    , FAZAM 2000 FullArmor. - - .

    , , ( , ). , . , . HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History, - HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\History.

    GUID - . - , 1, ..., . , 0 , 1 , 2 . . - , , - , 1 . .

    DisplayName DSPath

    Active Directory. , Active Directory

    FileSysPath . UNC- SYSVOL %SystemRoot%\System32\GroupPolicy

    GPOLink: 0 = not linked; 1 = local computer; 2 = site; 3 = domain; 4 = organizational unit

    GPOName . Local Group Policy. GUID

    lParam . - (, )

    Options , . -, , -

    Version ,

    , , - . ,


    , - . , , - , .

    ? , , - , .

    , Active Directory, SYSVOL, . , , - -. , , - . , - .

    , Group Policy. Active Directory Users and Computers. ;. , , -, . , Group Policy , .


    - , - PDC. , .

    . . - - . - . , , - .

    , . ? , , - . - , . - , -, , PDC - ? , -, - Active Directory (. - Active Directory). -, -, , PDC - . , .

    . , , - Active Directory. -. , ?

    , , Active Directory. : - , , Group Policy, New .., ! , . , . -, _-___, , , , .

    . , - Active Directory? , .

    . , - , ,

    ? . - , , ' New , Add - All.

    [Figure: Group Policy object links: Default Domain Controllers Policy, Default Domain Policy, Time Restriction]

    : . Active Directory. , , . , .

    . , - . , - , -:

    ;

    .

    : , - Active Directory . , , , - .

    , -. , -

    Administrators, Enterprise Admins, Domain Admins, Group Policy Creator Owners. :

    Enterprise Admins
    Domain Admins

    , ,

    Administrators

    Group Policy Creator Owners

    , , - OITI AD, , - ! [ ; . ; , ( )

    . , - . . -, : -, !

    , Group Policy Creator Owners (GPCO). -. . . - GPCO. - . - ! Administrators Domain Admins ( Enterprise Admins - ; , ). -, , , .

    , -, . GPCO. ! GPCO , -. , . GPCO .

    , GPCO -, .


    - . - . , - , - .

    , : - Active Directory GUID - SYSVOL , . Active Directory , , -, , - , .

    ,

    Full Control; Read; Apply Group Policy; Write; Create all child objects; Delete all child objects

    ,

    Full Control; Modify; Read & Execute; List folder contents; Read; Write

    , , -. .

    - . Active Directory.


    Active Directory

    , - Active Directory, . ?

    -, gpLink. , . , - Read Write .

    -, , - , gpOptions. - Read Write .

    . - . Active Directory Users and Computers. , , ADSIEdit Ldp.

    [Figure: Delegation of Control Wizard, Permissions page (Select the permissions you want to delegate): Read gPLink, Write gPLink, Write gPOptions]

    :

    * Software settings ( );

    Windows Settings ( Windows);

    Administrative Templates ( ).

    , . - , Group Policy.

    , - . , - Microsoft Installer. MSI- -. , . - . , Microsoft Office, setup.exe, MSI-: data1.msi msowc.msi. - , - Web.

    , .

    . . - . }7 UNC. , , , - , . , . , , . , , .

    , . : -, -. . . , , , , -, , .

    , .

    , . , -, W2KIVANOV.

    . ? ?

    ? ?

    , - ? .

    , ?

    , , . , - . - .

    Microsoft Installer -, . - MST , - . , - , .


    , . - - . , - .

    - Active Directory, , , -. , . , .

    ,

    , - :

    ;

    ;

    + , -, .

    , , . , ,

    Windows , , Windows Scripting Host, . , SYSVOL\<domain>\Policies\{GUID}\Machine\Scripts\Startup Shutdown.

    , ( ), , . , - ( ) -, ,


    , :

    , :

    Run logon scripts synchronously

    Run startup scripts asynchronously

    Run startup scripts visible

    Run shutdown scripts visible

    Maximum wait time for Group Policy scripts

    -

    , , - SYSVOL, . - .

    Windows : . - -


    . . :

    ;

    ;

    ;

    + ;

    ;

    ;

    ;

    ;

    IPSecurity.

    :

    ;

    ;

    Kerberos.

    . . ( , - . [1]).

    Store passwords under reversible encryption for all users in domain ( ) . - .

    - :

    Enforce password history ,

    .

    Maximum password age. , . 1 999

    Minimum password age , , : 1 999

    Minimum password length

    Passwords must meet complexity requirements .

    , : ; ;; ,

    User must logon to change password,

    . - * -, .

    Account lockout threshold

    Account lockout duration
    Reset lockout count after

    Kerberos Kerberos ( Kerberos . [1], [3]).

    Kerberos

    Maximum lifetime for user ticket
    Maximum lifetime for service ticket
    Maximum lifetime for user ticket renewal
    Maximum tolerance for computer clock synchronization

    TGT. - . 10 . . 10 , , - , . . 7 . , 5

    Enforce user logon restrictions

    (Enabled), , , , , , - , . , ,

    :

    ;

    ;

    , - . - Security. , .

    _

    Audit Account Logon events
    Audit Account Management
    Audit Directory Service Access
    Audit Logon Events
    Audit Object Access
    Audit Policy Change
    Audit Privilege Use
    Audit Process Tracking

    Audit System Events

    . .

    . . , .

    -. -, . - . - , .


    Access this computer from the network
    Act as part of the operating system
    Add workstations to domain
    Back up files and directories
    Bypass traverse checking
    Change the system time
    Create a pagefile
    Create a token object
    Create permanent shared objects
    Debug programs
    Deny access to this computer from the network
    Deny logon as a batch job
    Deny logon as a service
    Deny logon locally
    Enable computer and user accounts to be trusted for delegation
    Force shutdown from a remote system
    Generate security audits
    Increase quotas
    Increase scheduling priority
    Load and unload device drivers

    . . , . - 10 - , . - - , - -. ,

    . , - - .

    Lock pages in memory
    Log on as a batch job
    Log on as a service
    Log on locally
    Manage auditing and security log
    Modify firmware environment values
    Profile single process
    Profile system performance
    Remove computer from docking station
    Replace a process level token
    Restore files and directories
    Shut down the system
    Synchronize directory service data
    Take ownership of files or other objects

    . . firmware. Intei . - :

    -, . , , , -. .

    Additional restrictions for anonymous connections
    Allow server operators to schedule tasks (domain controllers only)
    Allow system to be shut down without having to log on
    Allowed to eject removable NTFS media
    Amount of idle time required before disconnecting session

    - ServerOperators - - . , NTFS ,

    . , .

    Audit the access of global system objects
    Audit use of Backup and Restore privilege
    Automatically log off users when logon time expires
    Automatically log off users when logon time expires (local)
    Clear virtual memory pagefile when system shuts down
    Digitally sign client communication (always)
    Digitally sign client communication (when possible)
    Digitally sign server communication (always)
    Digitally sign server communication (when possible)
    Disable CTRL+ALT+DEL requirement for logon
    Do not display last user name in logon screen
    LAN Manager Authentication Level
    Message text for users attempting to log on
    Message title for users attempting to log on
    Number of previous logons to cache (in case domain controller is not available)
    Prevent system maintenance of computer account password
    Prevent users from installing printer drivers
    Prompt user to change password before expiration

    - - - . -. Windows XP Windows 2000 . SP1 Windows XP CTRL+ALT+DEL - . - , - LAN Manager. He NTLM - Windows 9x NTLM v.2 - Windows NT- , , - . 50 7 . Users - , -

    Recovery Console: Allow automatic administrative logon
    Recovery Console: Allow floppy copy and access to all drives and all folders
    Rename administrator account
    Rename guest account
    Restrict CD-ROM access to locally logged-on user only
    Restrict floppy access to locally logged-on user only
    Secure channel: Digitally encrypt or sign secure channel data (always)
    Secure channel: Digitally encrypt secure channel data (when possible)
    Secure channel: Digitally sign secure channel data (when possible)
    Secure channel: Require strong (Windows 2000 or later) session key

    - - : AllowWildCards - ; AllowAllPaths ; AllowRemovableMedia - , ; NoCopyPrompt Administrator Guest CD., , CD . - , CD . , CD , < . , . - , . , , , - - - . , - , - , - (Windows 2000 ). -

    Secure system partition (for RISC platforms only)
    Send unencrypted password to connect to third-party SMB servers
    Shut down system immediately if unable to log security audits
    Smart card removal behavior
    Strengthen default permissions of global system objects (e.g. Symbolic Links)
    Unsigned driver installation behavior
    Unsigned non-driver installation behavior

    RISC- - SMB- , SAMBA , - - - [' . :No Action ;Lock Workstation ;Force Logoff , ( DOS, -) . - -, - , . ;Silently succeed ;Warn but allow installation , ;Do not allow installation , , -, -

    . . - .

    - . - , , . , , -


    . 4 . - :

    ;

    + ; 365 ;

    .

    Maximum Log Size for Application Log
    Maximum Log Size for Security Log
    Maximum Log Size for System Log
    Restrict Guest access to Application Log
    Restrict Guest access to Security Log
    Restrict Guest access to System Log
    Retain Application Log for
    Retain Security Log for
    Retain System Log for
    Retention method for Application Log
    Retention method for Security Log
    Retention method for System Log
    Shutdown system when security audit log is full

    , 512 , 512 , 512

    , , ,

    Windows :

    :

    ;

    , - ;

    , ; .


    . Enterprise Admins , , .

    - , .

    - , . - , . - , Enterprise Admins, .

    Windows :

    . Computer Management Services. - , . :

    + Automatic ();

    Manual ();

    Disabled ()

    , , . ;

    Full control ( );

    Read ( );

    Start, Stop and Pause (, );

    Write ( );

    Delete ()

    Windows :

    -. :

    Inherit () , , - ;


    + Overwrite () , , - ;

    Ignore () .

    , , , .

    Windows :

    - , , . , :

    Inherit () , , -.

    Overwrite () , , .

    Ignore () - .

    Windows :

    , ( . [3]):

    Automatic Certificate Request Settings ,

    , -, .

    Trusted Root , Certification Authorities ,

    -. , - . -


    Enterprise Trust - , , -

    Encrypted Data EFS.Recovery Agents

    . , - , -

    Windows : IPSecurity IPSecurity , - . Active Directory, , - IPSecurity - . , , . , - , -, .

    IPSec , - , , . ^

    IPSecurity

    Secure server (require security) , - - IPSec

    Server (Request security) , - no IPSec, - ,

    Client (Respond only) . - - ,

    , , -, , Secure Server. Server, . , , Client, -


    , .

    IPSec

    .ADM, - , , . HKEY_LOCAL_MACHINE.

    , , , . ' , - .

    - Windows 2000, :

    SP2 ;

    ;

    Windows XP.

    Windows: NetMeeting

    Internet Explorer

    Task Scheduler

    Terminal Services

    Windows Installer

    Windows Messenger

    User profiles

    Scripts

    Logon

    Disk Quotas

    Net Logon

    Group Policy
    Remote Assistance

    System Restore .

    , - - , Internet Explorer - . - , . ( . [1]) Windows Installer, , -, , - - ./ Windows Messenger

    : , - , . . , - . - , . - . - Windows XP, - , - , - NetLogon. -, , Windows .Net Server (. ) - Windows XP - Windows XP

    Error Reporting

    Windows File Protection

    Remote Procedure Call

    Windows Time Service

    DNS client

    Offline files

    Network connections

    Windows XP -. , - , - RPC. Windows XP Windows .Net Server

    DNS. ,


    , . - , .

    + , , .

    , Active Directory. , - , . - , .

    . -. - . , - , .

    - Active Directory, , - , .

    [Figure: Add/Remove Programs dialog]

    Add a program from CD-ROM or floppy disk

    To add a program from a CD-ROM or floppy disk, click CD or Floppy.

    To add new Windows features, device drivers, and system updates over the Internet, click Windows Update.

    , , - , :

    + ;

    > , ;

    , , - .

    -: , , .

    Windows : Internet Explorer Internet Explorer Administration Kit (IEAK) - Internet Explorer -. .

    Internet Explorer

    Browser title . -

    Internet Explorer Outlook Express. - Microsoft Internet Explorer provided by, Outlook Express provided by. , Internet Explorer

    Animated Bitmaps , - ! Internet Explorer

    Custom Logo ,

    Browser Toolbar buttons - -

    Connection settings ,

    ,

    Automatic Browser Configuration .INS - Proxy settings , -

    . , .

    User Agent String
    URL
    Favourites and Links
    Important URLs
    Channels
    Security zones and content ratings
    Authenticode settings
    Programs

    , . ,Mozilla 4.0 (compatible; MSIE 5.0; Windows NT; )

    , , -

    - (, . .) , -

    - , , -

    Windows :

    , , Windows Scripting Host, - . , SYSVOL\<domain>\Policies\{GUID}\User\Scripts\Logon Logoff.

    . , Run logon scripts synchronously, - . . , - .

    , , - SYSVOL, . . .

    , . , - -.


    Windows : - Enterprise Trust. - , , - . - .

    Windows : - -! RIS. - :

    Allow ;

    + Don't care , ,, , , - ;

    + Deny .

    :

    - , - ;

    + - ' ;

    - :

    - .

    Windows : :

    My Documents ( My Pictures);

    Application Data;

    Start Menu:

    Desktop.


    My Documents , - ( , -!), .

    Application Data - Documents and Settings\<username>. -. , Microsoft Word - Templates, \Word\Templates Application Data. , , , .

    Start Menu Documents and Settings\<username> - Start, . - Start . - , , .

    Desktop - Documents and Settings\<username> - , . Start, ' . - .

    , . - ? . . - .

    , , - , . . . , , , , - .

    . - , .


    . , , .

    .

    . %username%, \\root1\users\%username%\My Documents. - , - .

    + , - , .

    [Figure: Folder Redirection settings: Grant the user exclusive rights; Policy Removal: Leave the folder in the new location when policy is removed]

    .

    . /, - . ,

    4 .

    4 -, ,


    , - .

    My Pictures, My Documents, - , .

    ADM, - , ,

    4 . - HKEY_CURRENT_USER.

    . - , . , - .

    - Windows 2000, :

    SP2 ;

    ;

    Windows XP.

    Windows: NetMeeting -

    - - Net Meeting, ,

    Internet Explorer Internet Explorer .

    Windows Explorer . Windows 2000/Windows. , Windows 2000 Windows XP: 'Folder Options Tools; File Windows Explorer; Map Network Drive

    Disconnect Network Drive*; Search Windows Explorer; - ;


    Manage - ;

    ;

    ;

    ;

    ; Hardware; DFS;

    ;

    ; Computers Near Me*

    My Network Places; Entire Network My Network

    Places;

    ;

    ;

    .

    - Windows XP: Security; -; ;

    ; ; Shared Documents My Computer; ; . , File Open. - . - - . -

    Microsoft Management Console

    Task Scheduler

    Terminal Services

    Windows Installer

    Windows Messenger

    Windows Update

    Windows Media Player

    Start

    Active Desktop

    Active Directory

    Add/Remove Programs

    Display

    Printers

    Regional and LanguageOptions

    Offline Files

    Network Connections

    - . Windows XP/Windows .Net Server - Windows Installer/ Windows Messenger . Windows XP - Windows XP - Start . , , - , - , -, Active Desktop - Active Directory: , - Network Neighborhood . Windows XP - -/ / - Web, / Active Directory DFS

    - . , - NetworkConnections: -, , - . .


    User profiles

    Scripts

    Ctrl+Alt+Del Options

    Logon

    Group Policy

    Power Management

    -, . , - . , Windows 2000 Windows XP:

    ;+ 2000 ; ; , ;+ ;

    ; ; ; -. Windows XP: ;

    Windows;

    ; ,

    , - - , - Ctrl+Alt+Del - , (. ) -

    Active Directory - , . ) -. .

    , , . , - . . . Active Directory . , , . , - . -, ?

    , .

    1 -. ( ), , - , - , , .

    , . ( , ), - , - , :

    , -;

    ;

    -;

    - .

    + . ; - , - , .

    . , - : - , .

    , , ,


    - . !

    , - Active Directory, , , .

    , .

    , Windows NT - . . . , . . , -, - , , , -. , - [1]. - Windows 9x Windows NT, - .

    . , -. . -, , -, , , , . .

    ? ! Active Directory - . : , . .

    , . - . , , , -, . , , - . . - , - . - , - , , - .

    . .


    ? .

    1. - Active Directory?

    2. - ?

    3. : ?

    4- , , ?

    5. , - ?

    , , , Active Directory , - . . , .

    , , - Windows NT 4.0 Active Directory . .

    , Active Directory , Active Directory? - ?

    , - Windows NT, - . -

    : ? - , . , ? - , ?


    Active Directory:

    Active Directory

    , - , -- , , , - ,

    :

    + Msk-Acct;

    + Msk-Sales;

    + Nsk-Acct;

    + Nsk-Sales;

    + East-Acct;

    + East-Sales,

    Windows NT - . .

    , , . , : .

    . - , , - . , . .


    , , , . , - - . . , - .

    , . , , . . - , . , .

    .

    , . , . ?

    - , . , . , . - , , .


    . - . , - , - ? ( - ), 90% . , . - , . - , - 90% , , 10%. ,

    /

    / -/

    , - . , - . , , , , . , , - : , - .

    . , , . .


    Active Directory? ?

    : ?

    , , ?

    , ?

    , Active Directory -

    - , - , - , - - - , . , - . , , 10

    .

    msk.mycorp.ru siberia.mycorp.ru


    Active Directory, , . -? ! msk Siberia . -, , -, , . - , - . , .

    .

    msk.mycorp.ru

    mycorp.ru. - . - -. 1. mycorp.ru .

    , msk Siberia . mycorp.ru, -


    . -, : - , . . , - , -: , * . - ( 26) - .

    msk.mycorp.ru. - . , . , - , . , - .

    siberia.mycorp.ru. - , . . : -. ! 5 , - .

    , . , . - , , . -. , , . , - , , .

    , . -, . , , - .

    , , . , -, . , -


    . *: - , , - , , - .

    , , Active Directory , , .

    - . . :

    + GPRESULT - ;

    + GPOTOOL ;

    + ADDIAG , , - ;

    + SECEDIT -;

    + FAZAM2000 , - -.

    GPRESULT

    , , , . :

    + /v ;

    + /s -; ;

    + / ;

    + / .

    , , , , , .

    . , , . , ,


    . /v. -, Gpresult /s.

    , , /v.

    :

    Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
    Copyright (C) Microsoft Corp. 1981-1999

    Created on 13
    Operating System Information:
    Operating System Type: Professional
    Operating System Version: 5.0.2195
    Terminal Server Mode: Not supported

    Created on ( ...)- - 13? Windows 2000. - , . Windows XP.

    Terminal Server Mode. Windows .

    , . :

    User Group Policy results for:
    CN=u2,OU=test,DC=mycorp,DC=ru

    Domain Name: MYCORP
    Domain Type: Windows 2000
    Site Name: Default-First-Site-Name

    Roaming profile: (None)
    Local profile: C:\Documents and Settings\u2
    The user is a member of the following security groups:

    MYCORP\Domain Users
    \Everyone
    BUILTIN\Users
    \LOCAL
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users

    The user has the following security privileges:

    Bypass traverse checking
    Shut down the system
    Remove computer from docking station


    , , . . , . , :

    ;

    (- , - );

    .

    , - . , , , .

    Last time Group Policy was applied: 13
    Group Policy was applied from:

    ROOTt.mycorp.ru

    , . , US.

    ; , - , . . .